UK Data Protection: Deviation from the Strict EU Regime

King & Spalding

Data is yet again at the top of the agenda in the UK Parliament. Seeking to balance the need for the protection of privacy of data and enabling data-driven growth, the UK Department for Science, Innovation and Technology (“DSIT”) introduced the Data Protection and Digital Information (No. 2) Bill (“Bill”) on March 8, 2023, after the withdrawal of the Bill’s predecessor.

Rather than repealing the existing data protection laws in the UK, namely the UK General Data Protection Regulation (“UK GDPR”) (in force since the UK’s departure from the European Union at the end of 2021) and the Data Protection Act 2018 (“DPA”), the Bill intends to amend specific provisions of the data protection rules so that they become more flexible and tailored to the specific circumstances of each business, allowing businesses to navigate the rules more easily and cost-effectively. The Bill moves away from the ‘prescriptive tick box’ approach encapsulated within the UK GDPR and DPA, aiming to reduce the burden on businesses in the hope of boosting the economy by £4.7 billion over the next decade through data-driven growth.

Highlights of the key changes proposed by the Bill:

(a) Accountability

  • Original position: Businesses are required to follow a rigid accountability framework, which may include designating a data protection officer and maintaining specified forms of detailed records about processing activities, etc.
  • Changes: A privacy management programme will replace the current accountability framework; this will allow businesses to replace a data protection officer with a senior responsible individual and allow record-keeping that is ‘adequate’ for the purposes of the specific business.
  • Effect: This will be especially beneficial to small and medium businesses which process data; rather than following a cookie-cutter compliance framework aligned to any size of business, compliance efforts will now be more reflective of the business’ own data processing activities.

(b) Legitimate Interests

  • Original position: Under the existing rules businesses have relied on ‘legitimate interests’ as a lawful basis for processing personal data, but this requires the business to carry out a ‘balancing test’ to show that processing is necessary and to document how the interests of processing outweigh the rights of data subjects.
  • Changes: The Bill introduces a new lawful basis for processing where it is necessary for a ‘recognised legitimate interest’ which does not require a ‘balancing test’ to be performed. However, the circumstances when this can be relied upon are narrow, and the Bill lists ‘recognised legitimate interests’ as safeguarding, crime prevention, and emergencies.
  • Clarifications: Activities, such as direct marketing, internal transmission of data for administrative and network purposes, etc., will still be subject to the ‘balancing test’ previously required when seeking to rely on legitimate interests as the lawful ground for processing personal data.
  • Effect: The Bill clarifies the meaning of ‘legitimate interests’ and introduces certainty as to when a ‘balancing test’ will be required, with the list of ‘recognised legitimate interests’ subject to regular reviews and updates as appropriate. This provides additional comfort to businesses which struggle to determine whether their reliance on ‘legitimate interests’ to use data is compliant and if appropriate safeguards have been implemented.

(c) Scientific Research

  • Original position: The existing data protection rules provide for the processing of data for scientific research; however, the relevant provisions are dispersed across the UK GDPR and DPA, which creates ambiguity.
  • Changes and Clarifications: The Bill incorporates a clearer and broader definition of ‘scientific research’; for example, it now covers research regardless of whether it is privately or publicly funded and whether it is carried out commercially or non-commercially. As a result, consent provided when the scientific research purposes for the use of the data have not been fully identified can remain valid under the Bill.
  • Effect: It reduces the administrative burden on businesses to fully define scientific research purposes, which can evolve over time, and avoids the need to seek further consents from data subjects.

(d) Electronic Marketing

  • Original position: Current regulations have created a confusing set of rules in relation to keeping data for marketing purposes, regulating practices such as the use of cookies to track customer preferences, and strict requirements in soliciting data subjects’ explicit consent.
  • Changes: Businesses are now able to store or access information without express consent for certain ‘low risk’ purposes, for example collecting information for statistical reasons with a view to making improvements, enhancing the appearance or functionality of a website, or enabling installation of software for security purposes. It also facilitates a ‘soft opt-in’ rule for businesses to market by email or text to existing customers to provide them with information about similar goods and services.
  • Effect: The Bill does not amend the technicality of the use of electronic marketing capabilities, e.g., cookies, ‘pop-ups’ etc.; however, in principle it represents a broader effort to cut ‘red-tape.’ For instance, it reduces the administrative burden on customers to click on ‘pop-up’ consents and for businesses to solicit express consent to make marketing efforts more seamless.

(e) International transfers of data

  • Original position: International transfer of data has been supported and enabled where the UK deems another jurisdiction to be ‘adequate,’ i.e., that it has equivalent data protection rules.
  • Changes: The Bill amends the current regulations by giving the Secretary of State the power to make regulations approving transfers of personal data to third countries or international organisations where the other party’s standard of protection is ‘not materially lower than’ in the UK. It represents a more risk-based approach to international data transfers than the prescriptive current approach.
  • Effect: Businesses with cross-border operations will find it easier to transmit personal data to other parts of the world as the Bill emphasises a more risk-based approach in assessing whether a ‘third country’ satisfies the UK’s standard of data protection. It seems to imply that the assessment of ‘adequacy’ of data protection laws looks beyond a jurisdiction’s laws alone and focuses more on the particular policies of the recipients of the transferred data.

(f) Data Subject Access Requests

  • Original position: Individuals whose data is being retained/processed have a right of access to their own personal data controlled by a business. Businesses can refuse a request or charge a reasonable fee only if they consider it ‘manifestly unfounded or excessive.’
  • Changes and Clarifications: The Bill lowers the threshold at which businesses can either charge a reasonable fee or refuse an access request from individuals, in that a request can be denied if it is considered ‘vexatious or excessive.’
  • Effect: The replacement of ‘manifestly unfounded’ with ‘vexatious’ allows businesses a wider scope to refuse an access request from individuals, reducing administrative burdens. Helpfully, the new rules also include clear guidance on the meaning of ‘vexatious.’

(g) Consequences of Breach

  • Original position: The Information Commissioner has wide-ranging powers to enforce against any breach of the UK GDPR, including fines, notices to improve, etc.
  • Changes: The Bill further extends the regulator’s enforcement powers in different ways. To name a few, the Information Commissioner now has the power to impose information notices on any person or communications provider to request any information for determining whether a breach has happened. Also, the regulator can now investigate and act against unsolicited direct marketing communications regardless of whether they are received by the intended recipient, e.g., nuisance calls. A maximum fine of the higher of £17.5 million / approx. $21.8 million or 4% of a business’s total annual worldwide turnover is now applicable to such a breach, bringing the regulatory standards for unsolicited electronic marketing into line with those for a breach of other UK GDPR provisions.
  • Effect: The enhancement of the Information Commissioner’s powers is intended to ensure that businesses do not abuse the flexibility enabled by the Bill, and also to crack down on particular areas of data protection compliance which were previously overlooked, such as nuisance calls.

The Balancing Act

It is evident that the Bill proposes changes that emphasise flexibility, reducing cost-ineffective red tape, and ultimately aims to tailor data protection rules to the specific needs of businesses. However, concerns have already been raised during the consultation process with regard to data privacy protections. Open Rights Group commented that the Bill would, among other things, ‘weaken data subjects’ rights, water down accountability requirements and reduce the independence of the Information Commissioner’s Office.’ The balancing act of protecting data subjects’ privacy rights and harnessing the power of data for businesses to grow is critical in ensuring the UK’s data compliance standards remain ‘adequate’ (the EU’s determination that the UK’s privacy laws are equivalent to the GDPR). Implementing overwhelmingly business-friendly policies might inadvertently harm the growth of some businesses, which may incur costs in complying with the two differing regimes that will exist in the EU and the UK if the Bill is passed, in order to take advantage of the flexibility the Bill provides. One thing is certain from the Bill: businesses which are already compliant with the current regulatory framework will not have to change their compliance framework to ensure compliance with the Bill.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
